5 GDPR areas you might not have considered

GDPR has now been in full effect for a month, and Ticketmaster could land itself in hot water over its recent data breach. Monzo, the digital bank, has claimed Ticketmaster knew about the breach long before it was disclosed.

Many businesses don’t consider themselves prepared despite the past deadline; 60% of businesses state they are not “GDPR ready”, according to a Populus survey.

There’s no need to despair; GDPR compliance is a journey rather than something you could deem complete on 25th May 2018. Here are some key areas for consideration if you’re still not fully compliant with GDPR.

Don’t do nothing

The worst thing a business can do about GDPR is nothing. The GDPR requires businesses to put in place “appropriate measures” to secure the PII data that they hold. Data breaches could still occur even if you put in place the most robust security solutions available, because hackers are getting cleverer and more sophisticated. The ICO won’t punish every business that experiences a data breach.

The GDPR clearly states that doing nothing is the worst thing you could do (or not do). If your business experiences a data breach – deliberate or accidental – you must report it to the ICO and prove that you put those “appropriate measures” in place; that proof is what matters most to the ICO.

Train your workforce

It’s easy to forget that not all data breaches come at the hands of clever cyber criminals. It’s important to know that 30% of all data breaches are down to employee error, according to Beazley. What’s more, when your business falls victim to a cyber-attack, there’s a 90% chance that there was an employee error somewhere down the line – whether that’s losing a device or clicking on a malicious email link and unknowingly infecting your IT estate with malware such as ransomware.

The key factor to remember is that your employees are both your first and final line of defence. They are the people who can keep your data safe, or the ones who could put it at risk through negligence or naivety. Education is critical to ensure your workforce is aware of the risks associated with data. You can do this in a number of ways, from mandatory training to simulated phishing attacks, whereby you create a realistic-looking but fake email and test how well your staff can spot email-borne threats. If a member of staff falls for the simulation, they are directed to training to ensure it doesn’t happen again.

Implement removable device policies

Thanks to their proliferation and portability, removable storage devices can make GDPR compliance seem almost unmanageable. Bring Your Own Device (BYOD) policies and the increasing number of portable devices afforded to staff members (all colleagues at TSG work on laptops rather than desktop PCs) increase the risk of lost or stolen devices.

As a business, you should strongly consider implementing a removable storage policy which follows best practice guidelines around portable devices. You could choose to disallow personal storage devices, add every removable device to your Asset Register and encrypt them. This allows you to track all devices should one be lost or stolen, and follows the GDPR’s guidance on encryption.

Implementing a cloud-based document management solution can remove the need for portable storage devices altogether; why would your employees need USB sticks when they can access all of their important files wherever they are?

Know your reporting obligations – and stick to them

It’s unclear whether Ticketmaster breached the GDPR reporting requirements; while Monzo Bank informed the company of a potential breach in April, we don’t know whether Ticketmaster reported it immediately to the ICO or not.

The GDPR requires businesses to report data breaches that pose a risk to the data subjects – which was the case in this hack, as bank card information was stolen and used fraudulently – to the Information Commissioner’s Office (ICO) within 72 hours of discovering the breach; the clock starts at discovery, not at the breach itself. Businesses must also inform the data subjects, the people whose data was breached, in the same timeframe if it poses a risk to them.

The highest fines are unlikely to be implemented

You could argue that with GDPR, a mountain has been made out of a molehill. Start-ups and small businesses are fearful that a breach could wipe out their entire company. And while it’s true that the ICO will have the power to impose the highest fines, the Commissioner has already stated that businesses will not be made an example of. It’s only in the most severe cases, with multiple serious breaches, that the ICO would consider the highest penalties.

To avoid an eye-watering fine, businesses must take heed of GDPR and implement processes, policies and, where possible, security solutions. If you’ve implemented no security measures in the face of GDPR, that is considered a bigger breach of the regulation than any data leak. That’s a point worth remembering.

GDPR compliance is a journey and, going forward, businesses must remember to review policies and processes on a regular basis. Take heed of the Ticketmaster breach and ensure you don’t fall foul of the General Data Protection Regulation.